Exida Contacts
Singapore
Vietnam
Hong Kong
Australia / NZL
Germany
USA
Canada
United Kingdom
Netherlands
Switzerland
Mexico
South Africa
Copyright exida Asia Pacific 2014
What is?
Today's Objective
Introduce Process Safety Concepts and Essential Principles
AsiaPacific@exida.com
Flixborough 1974 (28 dead, 36 injured)
Seveso 1976
Bhopal 1984
Still happening.
[Figure: changes after the Piper Alpha inquiry (Cullen Commission). Source: Health, Safety & Environmental Agency]
Note: The Lord Cullen report was the detailed study of the Piper Alpha accident commissioned by the UK government.
Which Standard?
Standards shown: ISA S84.01; DIN V 19250; EWICS; NAMUR; HSE PES
IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61508 (Functional Safety for E/E/PES Safety Related Systems) and its sector standards:
IEC 61511: Process Industry
IEC 61513: Nuclear
IEC 62061: Machinery
ISO 26262: Road Vehicles
Prescriptive/Functional Standards
Prescriptive Standard: tells you what to do.
Example (API RP 14C, Section A.4): "As specified in American Petroleum Institute (API) Recommended Practice (RP) 14C, Section A.4, you must install a PSH sensor to provide over-pressure protection for a vessel."
30 CFR 250.802(b). Exclusion of pressure safety high (PSH) and pressure safety low (PSL) sensors on downstream vessels in a production train. As specified in American Petroleum Institute (API) Recommended Practice (RP) 14C, Section A.4, you must install a PSH sensor to provide over-pressure protection for a vessel. If an entire production train operates in the same pressure range, the PSH sensor protecting the initial vessel will detect the highest pressure in the production train, thereby providing primary over-pressure protection to each subsequent vessel in the production train. The intent of API RP 14C is not compromised under this scenario. Therefore, you may use API RP 14C Safety Analysis Checklist (SAC) reference A.4.a.3 to exclude all subsequent PSH sensors other than the PSH sensor protecting the initial vessel in a production train.
Prescriptive/Functional Standards
Prescriptive Standard: tells you what to do. Functional standard example: IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector.
Excerpts (guidance to IEC 61511-1):
7.1.1.1 IEC 61511 recognizes that organizations have their own multiple procedures for verification and does not require it always to be carried out in the same way.
7.1.1.2 No further guidance provided.
7.1.1.3 It is important that the results of verification are available so that it can be demonstrated that effective verification has taken place at all phases of the safety lifecycle.
8 Process Hazard and Risk Analysis
8.1 Objectives
The overall objective here is to establish the need for safety functions (e.g., protection layers) together with associated levels of performance (risk reduction) that are needed to ensure a safe process. It is normal in the process sector to have multiple safety layers so that failure of a single layer will not lead to or allow a harmful consequence. Typical safety layers are represented in Figure 9 of IEC 61511-1.
8.2 Requirements (guidance to IEC 61511-1 only)
8.2.1 The requirements for hazard and risk analysis are specified only in terms of the results of the task. This means that an organization may use any technique that it considers to be effective, provided it results in a clear description of safety functions and associated levels of performance.
(Copyright 2013 exida)
Performance Targets
Safety Integrity Level | Probability of failure on demand (PFDavg, dimensionless) | Risk Reduction Factor
SIL 4 | >= 10^-5 to < 10^-4 | 100000 to 10000
SIL 3 | >= 10^-4 to < 10^-3 | 10000 to 1000
SIL 2 | >= 10^-3 to < 10^-2 | 1000 to 100
SIL 1 | >= 10^-2 to < 10^-1 | 100 to 10
Safety Lifecycle (figure): Management and Planning; Analysis Phase; Realization Phase
Management and Planning
Design Guidelines
Interface Management
Safety Assessment
Verification and Validation
Verification
Activity of demonstrating for each phase of the safety lifecycle by analysis and/or tests that, for the specific inputs, the deliverables meet the objectives and requirements set for the specific phase.
[Figure: verification and validation flow: Task Objectives -> Task -> Verification; Safety Requirements -> Safety System -> Validation]
Minimum Level of Independence (columns SIL 1, SIL 2, SIL 3, SIL 4, as in IEC 61508-1 Table 4; HR = highly recommended, NR = not recommended, superscripts 1 and 2 refer to the notes of the source table)
Independent Person | HR | HR1 | NR | NR
Independent Department | -- | -- | HR1 | NR
Independent Organization | -- | -- | HR2 | HR
NOTE Depending upon the company organization and expertise within the company, the requirement for independent persons and departments may have to be met by using an external organization. Conversely, companies that have internal organizations skilled in risk assessment and the application of safety-related systems, which are independent of and separate (by ways of management and other resources) from those responsible for the main development, may be able to use their own resources to meet the requirements for an independent organization.
Personnel Competency
Persons, departments, or organizations involved in
safety lifecycle activities shall be competent to carry out
the activities for which they are accountable.
-IEC 61511, Part 1, Paragraph 5.2.2.2
What is Risk?
Risk is a measure of the likelihood and consequence of an adverse effect.
1. How often can it happen?
2. What will be the effects if it does?
Risk Receptors: Personnel; Environment; Financial
Financial Risk: Equipment/Property Damage; Business Interruption; Business Liability; Company Image; Lost Market Share
UK HSE Tolerability of Risk framework (figure)
Individual risk: frequency an individual may receive a given level of harm (usually death) from the outcome of specified hazards.
Intolerable Region ("No way"): High Risk, above 10^-3/yr (workers) or 10^-4/yr (public)
ALARP or Tolerable Region ("If it's worth it"): between the intolerable boundary and 10^-6/yr
Broadly Acceptable Region ("We accept it"): below 10^-6/yr, Negligible Risk
Risk matrix (Example Only; the two lower-severity column headings were not recovered)
Frequency | (column 1) | (column 2) | Permanent Injury/Death | Many Deaths
1 per 100 years | Acceptable | Moderate | Extreme | Extreme
1 per 1000 years | Acceptable | Acceptable | Moderate | Extreme
1 per 10,000 years | Acceptable | Acceptable | Moderate | Moderate
(lower frequency, label not recovered) | Acceptable | Acceptable | Moderate | (not recovered)
[HAZOP worksheet figure: columns Causes, Consequences, Safeguards, Recommendations. Safeguards shown: 2) Operator intervention on high pressure alarm; 3) Mechanical Design. Recommendation shown: 2) Shutdown SIS]
HAZOP ANALYSIS
GW | DEVIATION | CAUSES | CONSEQUENCES | SAFEGUARDS | REF# | RECOMMENDATIONS | BY
No | No Agitation | Agitator motor drive fails | Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure. | | | |
More | Higher Temperature | Temperature control failure causes overheating during steam heating | | | | |
More | Higher Level | Flow control failure allows the reactor to overfill | | | | |
HAZOP worksheet entry
Guide word: No
Deviation: No Agitation
Causes:
Consequences:
Safeguards:
Ref #:
Recommended Actions: Add a pressure safety relief valve. If necessary, add a depressurization SIF. Use LOPA to determine the required SIL.
By: CMF
Pressure SIF
DETOUR: Safety Standards for Process Industry; Safety Lifecycle; SIL Selection
Safety Integrity Level: what a SIL means
1. Each safety instrumented function has a requirement to reduce risk. The order of magnitude of risk reduction required is called a SIL.
Safety Integrity Level | Risk Reduction Factor
SIL 4 | 100000 to 10000
SIL 3 | 10000 to 1000
SIL 2 | 1000 to 100
SIL 1 | 100 to 10
2. A safety function meets a SIL if a calculated probability falls within the associated band on one of two different charts. This view looks at RANDOM FAILURES.
Safety Integrity Level | Probability of failure on demand
SIL 4 | >= 10^-5 to < 10^-4
SIL 3 | >= 10^-4 to < 10^-3
SIL 2 | >= 10^-3 to < 10^-2
SIL 1 | >= 10^-2 to < 10^-1
3. To establish engineering procedures to prevent systematic design errors. The equipment used to implement any safety instrumented function must be designed using procedures intended to prevent systematic design errors. The rigor of the required procedure is a function of the SIL.
Outcome considerations
1. The only outcome of interest is "accident occurs".
2. All branches where protection layers are successful end in termination of the analysis.
[Figure: risk reduction from Process Risk (risk inherent in the process) down to the Tolerable Risk Level, layer by layer: BPCS, Alarms, SIS, Mechanical, Other]
Event tree (figure): Init Event -> Protection Layer 1 -> Protection Layer 2 -> Protection Layer 3 -> Final Outcome. PL1 Success -> No Impact, Stop; PL1 Fails and PL2 Success -> No Impact, Stop; PL2 Fails and PL3 Success -> No Impact, Stop; PL3 Fails -> Accident Occurs.
1. Proceed with the event tree, but only calculate the probability of the accident.
2. The accident frequency is the initiating event frequency multiplied by the PFD of all protection layers.
Event tree example (figure)
Initiating event: Agitator Motor Fails, 0.5 /yr
PL #1: Batch not running (the batch is in operation 29% of the year, so the enabling probability is 0.29)
PL #2: Operator Response (fails)
PL #3: Adding Shortstop (fails)
PL #4: Pressure relief valve (fails)
Outcome: Explosion only if every layer fails; every other branch ends in No Event.
Branch probabilities shown on the failing paths: 0.29, 0.1, 0.1 and 0.07 (the 0.07 appears in the relief valve column). Explosion frequency: 0.5 x 0.29 x 0.1 x 0.1 x 0.07 = 1.02E-04 /yr.
Severity | Definition | Tolerable Frequency (events/year)
Extensive | (definition not recovered) | 10^-5
Severe | Multiple medical treatment case injuries | 10^-4
Minor | (definition not recovered) | 10^-3
[Figure: risk reduction bars from Process Risk through Batch Not in Operation, Alarms, Shortstop, Relief Valve and SIF; expected event frequency 1.02x10^-4 /yr]
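The event-tree arithmetic on the preceding slides, carried through in code. This is an added example, not part of the exida deck: it multiplies the 0.5/yr initiating frequency by the branch probabilities shown on the slide, enumerates every branch so the "only the accident branch matters" point is visible, and then sizes the SIF the HAZOP recommended by comparing the mitigated frequency with the tolerable frequency for each severity and mapping the required PFD to a SIL band from the deck's table. Only the 0.29 value is labelled on the slide; the pairing of 0.1, 0.1 and 0.07 with specific layers below is an assumption.

```python
"""Event tree / LOPA arithmetic for the agitator-failure scenario on the slides.

Added example, not part of the exida deck. The 0.5/yr initiating frequency and
the branch probabilities 0.29, 0.1, 0.1 and 0.07 are read from the slide; only
0.29 (batch in operation) is labelled there, so which of the other three values
belongs to which layer is an assumption made here.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# SIL bands from the deck: PFDavg lower bound (inclusive), upper bound (exclusive)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Tolerable frequencies by severity from the deck's table (events/year)
TOLERABLE_FREQ = {"Extensive": 1e-5, "Severe": 1e-4, "Minor": 1e-3}


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float  # probability the layer fails to stop the event (enabling probability for PL #1)


# Assumed pairing of the slide's values with layers (see module docstring)
AGITATOR_LAYERS = [
    Layer("PL #1 batch in operation", 0.29),
    Layer("PL #2 operator response fails", 0.1),
    Layer("PL #3 shortstop addition fails", 0.1),
    Layer("PL #4 pressure relief valve fails", 0.07),
]


def event_tree(initiating_freq: float, layers: Iterable[Layer]) -> List[Tuple[str, str, float]]:
    """Enumerate the branches of the event tree as (outcome, stopping layer, frequency).

    Every branch in which some layer succeeds terminates at that layer with no
    impact (the slide's outcome consideration 2); only the branch where every
    layer fails ends in the accident.
    """
    layers = list(layers)
    for layer in layers:
        if not 0.0 <= layer.pfd <= 1.0:
            raise ValueError(f"{layer.name}: PFD must lie within [0, 1]")
    branches = []
    freq_so_far = initiating_freq  # frequency with which all earlier layers have failed
    for layer in layers:
        branches.append(("No Event", layer.name, freq_so_far * (1.0 - layer.pfd)))
        freq_so_far *= layer.pfd
    branches.append(("Accident", "all layers failed", freq_so_far))
    return branches


def accident_frequency(initiating_freq: float, layers: Iterable[Layer]) -> float:
    """Initiating event frequency multiplied by the PFD of every protection layer."""
    return event_tree(initiating_freq, layers)[-1][2]


def sil_for_pfd(pfd: float) -> Optional[int]:
    """SIL band a required PFD falls into; None if no SIL is needed (PFD >= 0.1)
    or the requirement is beyond SIL 4 (PFD < 1e-5)."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def required_sif(accident_freq: float, severity: str) -> Tuple[float, float, Optional[int]]:
    """(required PFD, risk reduction factor, SIL) for an added SIF that brings the
    mitigated frequency down to the tolerable frequency for this severity."""
    tolerable = TOLERABLE_FREQ[severity]
    if accident_freq <= tolerable:
        return 1.0, 1.0, None  # already tolerable, no SIF needed
    pfd = tolerable / accident_freq
    return pfd, 1.0 / pfd, sil_for_pfd(pfd)


if __name__ == "__main__":
    f = accident_frequency(0.5, AGITATOR_LAYERS)
    print(f"explosion frequency {f:.3e}/yr")
    for severity in TOLERABLE_FREQ:
        print(severity, required_sif(f, severity))
```

With the slide's numbers the explosion frequency is 1.015E-04 /yr. Against the "Severe" tolerable frequency of 10^-4 the required risk reduction factor is only about 1.0, which is below the SIL 1 floor of 10, so no SIF is called for; against "Extensive" (10^-5) the required PFD is about 0.0985, which lands in the SIL 1 band. The severity the team assigns therefore decides whether the depressurization SIF is needed at all.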
Safety Requirements Specification (SRS)
The SRS is the critical documentation for system implementation and testing.
The SRS is the point of reference during the operations phase.
The better the SRS, the better the communication during the project and the more informed the change impact assessment for modifications.
SRS Elements
SIS General: Non-Functional; Regulations & Standards; Failure, Start & Restart; Interfaces; Environmental conditions
SIF General: Maintenance Overrides; Manual Shutdown; Operating Modes; Failure Modes; Reset; Diagnostics
SIF Specific (Sensor(s), Logic Solver, Final Element(s)): Identification; Description/Duty/P&ID; Safe State; Required SIL; Proof Test Interval; Response Time; Architecture Summary; Mode of Operation (Energize or De-energize; Demand or Continuous)
Cause-and-Effect Diagrams (Example Only)
Strengths: low level of effort, clear visual representation.
Weaknesses: rigid format (some functions cannot be represented with C-E diagrams), can oversimplify.
[Figure: SIS block diagram: Input Module -> CPU -> Output Module, with Power Supply; the SIS interfaces to the Equipment Under Control (EUC) and the Basic Process Control System (BPCS)]
SIS structure (figure): Sensors -> Logic Solver -> Final elements
An SIS includes several Safety Instrumented Functions (SIF); the figure shows SIF 1 to SIF 5, each with its own sensors and final elements, sharing the logic solver.
[Figure: SIF structure: Sensors (sensing element plus signal conditioning, one or more) -> Logic Solver -> Final Elements (final control elements), together with circuit utilities (i.e. electrical power, instrument air etc.) and the interconnections]
Failures are either RANDOM or SYSTEMATIC.
What are random failures? What are systematic failures?
Systematic Failures
A failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors.
Usually due to a design fault (wrong component, error in a software program, etc.).
How are they handled?
RANDOM failures: probabilistic, performance-based design.
SYSTEMATIC failures: HOW?
SIF Design
The SIL achieved is the minimum of:
1. the SIL supported by the PFD calculation
2. the SIL allowed by the architectural constraints
3. the SIL capability of the equipment
Failure Modes
With a safety system, the concern shouldn't so much be with how the system operates, but rather how the system fails. Safety systems can fail in two ways:
Safe failures: initiating, overt, spurious, costly downtime
Dangerous failures: inhibiting, covert, potentially dangerous, must find by testing
[Figure: split of the failure rate into Safe Detected (SD), Safe Undetected (SU), Dangerous Detected (DD) and Dangerous Undetected (DU); 40% shown as DANGEROUS DETECTED]
[Figure: isolated AC input circuit (5V ISO supply): Vin -> 1K series resistor, diodes D1 and D2, 200K and 10K resistors, filter capacitor, optocoupler OC1 with 10K pull-up to +5V; node voltages V1 and V2]
FMEDA of the input circuit (failure rates in FIT, failures per billion hours)
Component | Mode | Effect | Criticality | FIT | Safe FIT | Dangerous FIT
R1 - 1K | short | loose filter | 1 Safe | 0.13 | 0.125 |
R1 - 1K | open | read logic 0 | 1 Safe | 0.5 | 0.5 |
C1 | short | read logic 0 | 1 Safe | (not recovered) | |
C1 | open | loose filter | 1 Safe | 0.5 | 0.5 |
R2 - 200K | short | overvoltage | 0 Dang. | 0.13 | 0 | 0.13
R2 - 200K | open | read logic 0 | 1 Safe | 0.5 | 0.5 |
R3 - 10K | short | read logic 0 | 1 Safe | 0.13 | 0.125 |
R3 - 10K | open | overvoltage | 0 Dang. | 0.5 | | 0.5
D1 | short | read logic 0 | 1 Safe | (not recovered) | |
D1 | open | (not recovered) | 0 Dang. | (not recovered) | |
D2 | short | read logic 1 | (not recovered) | | |
D2 | open | (not recovered) | | | |
OC1 | led dim | no light | 1 Safe | 28 | 28 |
OC1 | tran. short | read logic 1 | 0 Dang. | 19 | | 19
OC1 | tran. open | read logic 0 | 1 Safe | (not recovered) | |
R4 - 10k | short | read logic 0 | 1 Safe | 0.13 | 0.125 |
R4 - 10k | open | read logic 1 | 0 Dang. | 0.5 | | 0.5
Totals: Total 71 FIT; Safe 38.88 FIT; Dangerous 32.1 FIT. The original also carries Diagnostic Covered, Safe Covered and Dang. Det. columns that were not recovered; the coverage value shown is 0.0257.
FMEDA of the redundant input circuit with diagnostics (failure rates in FIT)
Components: R1 - 10K, R2 - 100K, R3 - 100K, R4 - 10K, R5 - 100K, R6 - 10K, C1, C2, D1, D2, OC1, OC2.
Failure modes and effects shown: threshold shift, open circuit, short input, overvoltage, loose filter, input float high, read logic 0, read logic 1, LED dim (no light), transistor short (read logic 1, dangerous), transistor open (read logic 0, safe).
Diagnostics shown: "loose input pulse" and "Comp. mismatch"; a 1 in the Diagnostic column marks a failure mode as covered.
Rows recovered in full (Component | Mode | Effect | Criticality | FIT | Safe/Dangerous FIT | Diagnostic, covered FIT):
R1 - 10K | short | threshold shift | 1 Safe | 0.13 | 0.125 safe |
R1 - 10K | open | open circuit | 1 Safe | 0.5 | 0.5 safe | 1 loose input pulse, 0.5
OC1 | led dim | no light | 1 Safe | 28 | 28 safe | 1 Comp. mismatch, 28
OC1 | tran. short | read logic 1 | 0 Dang. | 10 | 10 dangerous | 1 Comp. mismatch, 10
OC1 | tran. open | read logic 0 | 1 Safe | | | 1 Comp. mismatch
OC2 | same three modes and values as OC1
Summary: Total 111 FIT; Safe 88.75; Dangerous 22; Safe covered 86.875; Dangerous covered 22 (every dangerous failure is detected); Safe coverage 0.9789.
What is?
Safe Failure Fraction (SFF): the fraction of all failures that are either safe or dangerous but detected by automatic self-diagnostics; equivalently, one minus the fraction of failures that are dangerous and NOT detected.
SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU) = 1 − λDU / λTotal
Architectural Constraints
As technology advances it is becoming easier to achieve the required PFDavg. However, PFDavg is not the only safety metric that needs to be satisfied. Architectural constraints also need to be satisfied.
Architectural constraints look at the Hardware Fault Tolerance (HFT) and the Safe Failure Fraction (SFF) of each subsystem to determine if the SIL has been met.
SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)
Maximum SIL by SFF and HFT, Type A subsystems (IEC 61508-2 Table 2):
SFF | HFT 0 | HFT 1 | HFT 2
< 60% | SIL 1 | SIL 2 | SIL 3
60% to < 90% | SIL 2 | SIL 3 | SIL 4
90% to < 99% | SIL 3 | SIL 4 | SIL 4
>= 99% | SIL 3 | SIL 4 | SIL 4
Maximum SIL by SFF and HFT, Type B subsystems (IEC 61508-2 Table 3):
SFF | HFT 0 | HFT 1 | HFT 2
< 60% | Not allowed | SIL 1 | SIL 2
60% to < 90% | SIL 1 | SIL 2 | SIL 3
90% to < 99% | SIL 2 | SIL 3 | SIL 4
>= 99% | SIL 3 | SIL 4 | SIL 4
Example: 3051S
Hardware Fault Tolerance: the quantity of failures that can be tolerated while maintaining the safety function.
Architecture | Hardware Fault Tolerance
1oo1 | 0
1oo1D | 0
1oo2 | 1
2oo2 | 0
2oo3 | 1
2oo2D | 0
1oo2D | 1
1oo3 | 2
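The FMEDA roll-up, the SFF formula and the two architectural-constraint tables above, joined up in one calculation. This is an added example, not exida's FMEDA tool: it takes the failure-mode rows that are readable in the deck's first input-circuit FMEDA (R1, R2, R3, R4 and OC1; C1, D1 and D2 were not recovered, so the totals differ from the slide's 71 FIT), splits them into λSD/λSU/λDD/λDU, computes the SFF, and looks up the maximum SIL for each voting architecture's HFT. A second pass adds an assumed comparison diagnostic of the kind the deck's second circuit uses ("Comp. mismatch"), which turns the stuck-high dangerous failures into dangerous detected ones and moves the SFF from below 60% to the 90-99% band.

```python
"""FMEDA roll-up, Safe Failure Fraction and IEC 61508 architectural constraints.

Added example, not exida's FMEDA tool. Rows are those readable from the deck's
first input-circuit FMEDA; C1, D1 and D2 were not recovered and are omitted.
"""
from dataclasses import dataclass, replace
from typing import Iterable, Tuple


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str
    effect: str
    fit: float               # failure rate in FIT (failures per 1e9 hours)
    dangerous: bool          # criticality: True = dangerous, False = safe
    detected: bool = False   # covered by an automatic diagnostic


# Transcribed from the slide's first FMEDA table (no diagnostics in that design)
INPUT_CIRCUIT = [
    FailureMode("R1 - 1K", "short", "loose filter", 0.13, dangerous=False),
    FailureMode("R1 - 1K", "open", "read logic 0", 0.5, dangerous=False),
    FailureMode("R2 - 200K", "short", "overvoltage", 0.13, dangerous=True),
    FailureMode("R2 - 200K", "open", "read logic 0", 0.5, dangerous=False),
    FailureMode("R3 - 10K", "short", "read logic 0", 0.13, dangerous=False),
    FailureMode("R3 - 10K", "open", "overvoltage", 0.5, dangerous=True),
    FailureMode("OC1", "led dim", "no light", 28.0, dangerous=False),
    FailureMode("OC1", "tran. short", "read logic 1", 19.0, dangerous=True),
    FailureMode("R4 - 10k", "short", "read logic 0", 0.13, dangerous=False),
    FailureMode("R4 - 10k", "open", "read logic 1", 0.5, dangerous=True),
]


def rollup(modes: Iterable[FailureMode]) -> Tuple[float, float, float, float]:
    """Split the failure rate into (lambda_SD, lambda_SU, lambda_DD, lambda_DU), in FIT."""
    sd = su = dd = du = 0.0
    for m in modes:
        if m.fit < 0:
            raise ValueError(f"{m.component} {m.mode}: negative FIT")
        if m.dangerous and m.detected:
            dd += m.fit
        elif m.dangerous:
            du += m.fit
        elif m.detected:
            sd += m.fit
        else:
            su += m.fit
    return sd, su, dd, du


def safe_failure_fraction(sd: float, su: float, dd: float, du: float) -> float:
    """SFF = (SD + SU + DD) / (SD + SU + DD + DU), i.e. 1 - DU / total."""
    total = sd + su + dd + du
    if total <= 0:
        raise ValueError("no failure rate to evaluate")
    return (sd + su + dd) / total


# Architectural-constraint tables from the deck: index [hft][sff_band]; 0 = not allowed
SFF_BAND_LIMITS = (0.60, 0.90, 0.99)
MAX_SIL_TYPE_A = ((1, 2, 3, 3), (2, 3, 4, 4), (3, 4, 4, 4))
MAX_SIL_TYPE_B = ((0, 1, 2, 3), (1, 2, 3, 4), (2, 3, 4, 4))
HFT_OF_ARCHITECTURE = {"1oo1": 0, "1oo1D": 0, "1oo2": 1, "2oo2": 0,
                       "2oo3": 1, "2oo2D": 0, "1oo2D": 1, "1oo3": 2}


def sff_band(sff: float) -> int:
    """0: < 60%, 1: 60% to < 90%, 2: 90% to < 99%, 3: >= 99%."""
    return sum(sff >= limit for limit in SFF_BAND_LIMITS)


def max_sil_for_architecture(sff: float, architecture: str, type_b: bool = True) -> int:
    """Highest SIL the subsystem may claim on architectural grounds (0 = not allowed)."""
    table = MAX_SIL_TYPE_B if type_b else MAX_SIL_TYPE_A
    return table[HFT_OF_ARCHITECTURE[architecture]][sff_band(sff)]


def with_comparison_diagnostic(modes: Iterable[FailureMode]):
    """Assumed diagnostic, modelled on the deck's second circuit: a second channel is
    compared with the first, so any stuck 'read logic 1' failure becomes detected."""
    return [replace(m, detected=(m.effect == "read logic 1")) for m in modes]


if __name__ == "__main__":
    for label, rows in (("no diagnostics", INPUT_CIRCUIT),
                        ("comparison diagnostic", with_comparison_diagnostic(INPUT_CIRCUIT))):
        sff = safe_failure_fraction(*rollup(rows))
        print(f"{label}: SFF={sff:.4f}, 1oo1 Type B -> SIL {max_sil_for_architecture(sff, '1oo1')},"
              f" 1oo2 Type B -> SIL {max_sil_for_architecture(sff, '1oo2')}")
```

Without diagnostics the transcribed rows give SFF of about 0.59, so a Type B (complex) subsystem with HFT 0 is not allowed at any SIL, and even 1oo2 only reaches SIL 1; adding the comparison diagnostic lifts the SFF to about 0.99, so the same 1oo1 Type B subsystem may claim SIL 2 and 1oo2 may claim SIL 3. The PFDavg of the subsystem did not change between the two runs; only the architectural constraint did, which is the point of the slide.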
How each kind of failure is handled:
RANDOM failures: probabilistic, performance-based design.
SYSTEMATIC failures: detailed engineering process.
Question?
Is redundancy sufficient protection against SYSTEMATIC FAILURES?
REDUNDANCY IS NOT A PROTECTION AGAINST SYSTEMATIC FAILURES!
A single systematic fault can cause failure in multiple channels of an identical redundant system.
Example: A command was sent into a redundant DCS. The command caused a controller to lock up trying to interpret the command. The diagnostics detected the failure and forced switchover to a redundant unit. The command was sent to the redundant unit, which promptly locked up as well.
Equipment Capability
The three criteria for the SIL achieved: PFD; Architectural Constraints; Equipment Capability.
Equipment Capability: IEC 61508 certification, or Prior Use justification based on Proven in Use criteria.
Prior Use
Prior use generally means:
Documented, successful experience (no dangerous failures)
A particular version of a particular instrument
Similar conditions of use: functionality/application, environment
Product Certification
Functional safety certification for devices is accomplished per IEC 61508.
Products are certified to a Safety Integrity Level (SIL).
The result is typically a certificate and a certification report.
SIL Certification: the vendor showed sufficient protection against Random and Systematic Failures.
Process Industry
Mature market in Logic Solvers and Traditional Sensors
New market in new technologies, sensors and final elements
Vendor Demand
In mature markets, certification may be the cost of entry (i.e. Logic Solvers)
Establishes credibility in the safety market
Allows introduction of technology with credibility
In new markets, may provide significant differentiation, limit competition and create higher margins
Market Support
The exida web site also has a list of process industry instrumentation equipment with IEC 61508 certification. With several thousand unique visitors per month, this list has become the most popular global purchase qualification list for many buyers.
Example
The SIL achieved is the minimum of:
1. SIL(PFD): SIL 2
2. SIL(AC): SIL 1
3. SIL(CAP): SIL 3
The SIL for this Safety Instrumented Function (SIF) is: SIL 1
Select Technology: Sensor Sub-System
Objective: choose the right equipment for the purpose. All criteria used for process control still apply.
Tasks:
Choose equipment with IEC 61508 certification or a Prior Use justification (IEC 61511)
Obtain reliability and safety data for the equipment
Obtain the Safety Manual for any safety-certified equipment
[Figure: PFD calculation approaches: Event Tree Analysis; Block Diagram]
Simplified Equations
Voting | PFDavg | STR
1oo1 | λDU × TI / 2 | λS
1oo2 | (λDU)² × TI² / 3 | 2 λS
1oo2D | (λDU)² × TI² / 3 | (λS)² × MTTR
2oo2 | λDU × TI | (λS)² × MTTR
2oo3 | (λDU)² × TI² | 6 (λS)² × MTTR
Where:
PFDavg = Probability of Failure on Demand (average)
STR = Spurious Trip Rate
MTTR = Mean Time To Repair
TI = Test Interval
λS = safe (detected) failure rate
λDU = dangerous undetected failure rate
Rates are per hour and TI and MTTR in hours, so PFDavg is dimensionless and STR is in trips per hour; the PFDavg approximations assume λDU × TI is small compared with 1.
What is?
Proof Testing: a manually initiated test designed to detect failure of any part of a SIF.
Different proof test procedures can have different levels of effectiveness.
No practical proof test will detect all failures.
Mission Time
Typical simplified equations assume perfect repair (every proof test finds and repairs every dangerous undetected failure):
PFDavg ≈ λDU × TI / 2
However, repair is typically not perfect: a proof test with coverage C_PT finds only the fraction C_PT of the dangerous undetected failures. The remainder stays in place until the end of the lifetime / mission time MT, so the mission time needs to be considered:
PFDavg ≈ C_PT × λDU × TI / 2 + (1 − C_PT) × λDU × MT / 2
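The simplified PFDavg and STR equations and the proof-test-coverage correction above, evaluated for one set of assumed numbers. This is an added example, not from the deck: λDU = 500 FIT, λS = 1000 FIT, a one-year test interval, an 8 h MTTR, 90% proof test coverage and a 20-year mission time are all assumptions chosen to show the effect; the formulas themselves are the deck's. The SIL band lookup at the end uses the PFD table from the "Performance Targets" slide.

```python
"""PFDavg and spurious trip rate from the deck's simplified equations, plus the
proof-test-coverage / mission-time correction.

Added example, not from the slides. Numbers in example() are assumptions:
lambda_DU = 500 FIT, lambda_S = 1000 FIT, TI = 1 year, MTTR = 8 h,
C_PT = 0.9, MT = 20 years. Rates are per hour and times in hours, so PFDavg
is dimensionless and STR is in trips per hour.
"""
from typing import Dict, Optional

HOURS_PER_YEAR = 8760.0
FIT = 1e-9  # one FIT = one failure per 1e9 hours


def pfd_avg(voting: str, lam_du: float, ti: float) -> float:
    """Simplified PFDavg for the voting architectures in the deck's table."""
    x = lam_du * ti  # expected DU failures per test interval; the formulas need x << 1
    if not 0.0 <= x < 0.1:
        raise ValueError("simplified equations need 0 <= lambda_DU * TI << 1")
    return {
        "1oo1": x / 2,
        "1oo2": x ** 2 / 3,
        "1oo2D": x ** 2 / 3,
        "2oo2": x,
        "2oo3": x ** 2,
    }[voting]


def spurious_trip_rate(voting: str, lam_s: float, mttr: float) -> float:
    """Simplified spurious trip rate (per hour) for the same architectures."""
    return {
        "1oo1": lam_s,
        "1oo2": 2 * lam_s,
        "1oo2D": lam_s ** 2 * mttr,
        "2oo2": lam_s ** 2 * mttr,
        "2oo3": 6 * lam_s ** 2 * mttr,
    }[voting]


def pfd_avg_imperfect_test(lam_du: float, ti: float, cpt: float, mission_time: float) -> float:
    """1oo1 PFDavg when a proof test only finds the fraction cpt of DU failures;
    the undetected remainder accumulates over the whole mission time."""
    if not 0.0 <= cpt <= 1.0:
        raise ValueError("proof test coverage must lie within [0, 1]")
    if mission_time < ti:
        raise ValueError("mission time shorter than the test interval")
    return cpt * lam_du * ti / 2 + (1.0 - cpt) * lam_du * mission_time / 2


def sil_band(pfd: float) -> Optional[int]:
    """SIL band for a PFDavg per the deck's table; None outside 1e-5 .. 1e-1."""
    for sil, lo, hi in ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)):
        if lo <= pfd < hi:
            return sil
    return None


def example() -> Dict[str, float]:
    """Evaluate the assumed numbers; returns the PFDavg and yearly STR per architecture."""
    lam_du, lam_s = 500 * FIT, 1000 * FIT
    ti, mttr, mission_time = HOURS_PER_YEAR, 8.0, 20 * HOURS_PER_YEAR
    out = {}
    for voting in ("1oo1", "1oo2", "1oo2D", "2oo2", "2oo3"):
        out[f"{voting} PFDavg"] = pfd_avg(voting, lam_du, ti)
        out[f"{voting} STR per year"] = spurious_trip_rate(voting, lam_s, mttr) * HOURS_PER_YEAR
    out["1oo1 PFDavg, C_PT=0.9, MT=20y"] = pfd_avg_imperfect_test(lam_du, ti, 0.9, mission_time)
    return out


if __name__ == "__main__":
    for name, value in example().items():
        print(f"{name:32s} {value:.3e}  SIL band {sil_band(value) if 'PFDavg' in name else '-'}")
```

With these numbers a 1oo1 sensor gives PFDavg 2.19E-03 (SIL 2 band) under the perfect-repair assumption, but 6.35E-03 once 10% of the dangerous undetected failures survive each proof test for a 20-year mission: still SIL 2, but almost three times the PFDavg, which is why the proof test coverage belongs in the SRS next to the test interval.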
Spurious Trip
A spurious trip is a shutdown (taking the process to a safe state) that occurs when it is not needed (no demand).
Two areas of concern:
Shutdown and startup can be the most dangerous times.
Operations likes to run.
STR, Spurious Trip Rate = 1/MTTFS
MTTFS: Mean Time To Failure Spurious (SAFE failure)
MTTFD: Mean Time To Dangerous Failure
Recent Events
Shamoon virus takes out 30,000 computers at Saudi Aramco
US Defense Secretary issues strong warning of cyber attacks on US critical infrastructure
DHS issues alerts about coordinated attacks on gas pipeline operators
[Figure: threat sources to control systems: Hacker; Disgruntled employee; Network device, software; IT Dept, Technician; Malware (virus, worm, trojan)]
Regulations
Department of Homeland Security
6 CFR part 27: Chemical Facility Anti-Terrorism Standards (CFATS)
National Cyber Security Division: Control Systems Security Program (CSSP)
Department of Energy
Federal Energy Regulatory Commission (FERC): 18 CFR Part 40, Order 706 (mandates NERC CIP-002 to CIP-009)
Standards
International Society of Automation (ISA)
ISA/IEC 62443 Industrial Automation and Control System (IACS) Security (was ISA 99)
+ Functional Security Certification
"Integrity is doing the right thing, even if nobody is watching." (Anonymous)
exida History
Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV Product Services
Independent provider of Tools, Services and Training supporting Customers with Compliance and Certification to any Standards for Functional Safety, Cyber Security and Alarm Management
[Photo: Rainer Faller]
What we do
EXPERTISE: Functional Safety; Alarm Management; Cyber Security; Reliability
SCOPE: Tools; Training; Consultancy; Certification
INDUSTRIES: Process; Energy; Machine; Automotive
CUSTOMERS: End Users; Manufacturer; Engineering; Integrators
exida Library
exida publishes analysis techniques for functional safety
exida authors ISA best sellers for automation safety and reliability
exida authors an industry data handbook on equipment failure data
www.exida.com